Computer-Implemented Method for Determining an Operational State of an Industrial Plant

ABSTRACT

A computer-implemented method for determining an operational state of an industrial plant includes acquiring alarms raised within the plant and adding them to a pool of important alarms, determining whether a physical state of the plant indicated by a first alarm causes a second alarm or meets a predetermined state-dependent condition and, if so, moving the first alarm to a pool of informative alarms; and determining the operational state of the plant and/or a corrective action for improving this operational state based on the alarms in the pool of important alarms.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application claims priority to International PatentApplication No. PCT/EP2020/054786, filed on Feb. 24, 2020, which isincorporated herein in its entirety by reference.

FIELD OF THE DISCLOSURE

The present disclosure relates to the determining of an operationalstate of an industrial plant from a plurality of alarms that are raisedwithin the plant.

BACKGROUND OF THE INVENTION

Industrial plants typically execute a given process according to a givenengineered recipe that sets out which actions are to be performed inwhich order. The successful execution of the process, and in particularthe quality of the finally obtained product, may critically depend onwhether the given recipe is adhered to. Therefore, an industrial plantneeds to be monitored in many places in order to detect any deviationsfrom the recipe, as well as equipment failure. Whenever somethingabnormal is detected, an alarm is raised.

By raising an alarm, the industrial plant calls for the attention of theplant operator, so that the operator may perform corrective action, suchas changing a faulty part or cleaning a clogged vessel. However, duringoperation of a complex plant, very many alarms may be raised at anygiven time. Akin to log files generated in computing systems, thesalient information may therefore be buried in a lot of noise, whichmakes it difficult to draw the right conclusions from the many alarms.In particular, a human operator faced with a flood of alarms may noteven know where to start fixing the problem.

WO 2019/104 296 A1 discloses an alarm management system to assist anoperator with identifying high priority alarms, based on the number ofevent occurrences.

BRIEF SUMMARY OF THE INVENTION

The present disclosure describes systems and methods for extracting,from a large set of alarms, those alarms that are particularlymeaningful for the operational state of the plant, so that theoperational state, and/or a corrective action for improving thisoperational state, may be readily determined.

Accordingly, in one embodiment, the present disclosure describes acomputer-implemented method for determining an operational state of anindustrial plant. The industrial plant is configured to execute a givenindustrial process, usually according to a given recipe. Such a recipedetails the sequence in which actions are to be performed on one or moreeducts in order to manufacture one or more products. In particular, atopology of the plant, comprising the different pieces of equipment andinterconnections between them, may be engineered to fit a previouslyengineered recipe.

Each piece of equipment may raise one or more alarms. The alarms thatare raised most frequently are so-called “service alarms” and “processalarms.”

Service alarms are raised in response to a service or an operation inthe industrial plant being interrupted or being unable to start. Inparticular, an industrial plant may be composed of process modules thatmay be interconnected and separated from one another again, so that froma given set of physical process modules available on a site, differentmodular plants may be assembled to manufacture different products. Insuch a setting, each physical process module provides one or moreservices. When the topology of the plant is engineered according to therecipe for executing the process, a physical process module may beinserted in a particular place for the reason that it provides a servicefor which there is a concrete need according to the recipe.

For example, the services may specifically comprise one or more of:heating or cooling a substance, and/or keeping the temperature of thesubstance at a desired value; stirring a substance; filling at least onevessel with a desired amount of a substance; discharging a desiredamount of a substance from at least one vessel; dosing a desired amountof a second substance into a first substance; intermixing a mixture oftwo or more substances by mechanical interaction with this mixture;distilling at least one substance from a mixture of two or moresubstances; transitioning at least one substance; and inertizing atleast one substance.

When performing each physical action to provide a service, certainvariables are monitored, and it is checked whether these variables meetpredetermined conditions. If such a condition is met, a process alarm israised. For example, process alarms may be raised in response to atemperature, a pressure, and/or a mass flow deviating from a nominalvalue or going beyond an upper or lower threshold value.

In particular, in modular industrial plants, each process module may beconfigured to monitor a mass flow and/or a pressure on each of its inputand output ports. Each module by itself does not “know” with which othermodules it will be interconnected, but monitoring mass flows and/orpressures on the ports nonetheless permits to detect many faults in theinteroperation of interconnected process modules. For example, a modulewhose inner equipment is working all right may not get enough eductsfrom an upstream module because a valve is closed, or a line is clogged.In this case, the pressure and mass flow at the input port of theworking module may drop too low. Likewise, if something is amiss in adownstream module, the output port of the working module may be pumpingagainst a closed valve in the input port of the downstream module. Inthis case, the pressure at the output port of the working module mayclimb too high, and the mass flow at this output port may drop to zero.At the same time, a temperature at this output port may climb too highif the mass flow is also supposed to transfer a heat flow to thedownstream module.

Process alarms are an indication that something is amiss, but they donot necessarily mean that the overall operation of the industrial plantis affected. Specifically, the alarm thresholds for process alarms maybe set relatively tight, so that, for example, an over-pressure may bephysically tolerated by the plant for some time. If corrective actioncan be taken within that time, operation of the plant may continueuninterrupted.

Service alarms, however, mean that some concrete action that is supposedto be performed according to the recipe of the process cannot beperformed. If the product of the service cannot be obtained from anothersource, like from another module connected in parallel with the faultyone, or from some reservoir, then the fault indicated by the servicealarm may bring the industrial process as a whole to a halt.

Therefore, in the context of the industrial plant, service alarms mayhave a higher priority than process alarms, and so provide informationuseful to the systems and methods described herein.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

FIG. 1 is a flowchart for a method in accordance with the disclosure.

FIG. 2 is a diagram of an exemplary dosing module with sources forprocess alarms in accordance with the disclosure.

FIG. 3 is a diagram of an exemplary simple plant composed of two dosingmodules in accordance with the disclosure.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a schematic flow chart of an exemplary embodiment of a method100, the method 100 being implemented for determining an operationalstate of an industrial plant. In step 110 of the method 100, a pluralityof alarms 2 raised within the plant 1 is acquired. These alarms areinitially all added to a pool 3 a of important alarms 2.

In step 120, it is determined whether physical states 1 c of the plant 1indicated by first acquired alarms 2 have caused second alarms 2′ thathave also been acquired. Where such cause-effect pairs 2, 2′ are found,the respective first alarm (the cause) 2 is moved to the pool 3 b ofinformative alarms in step 130.

In step 140, it is determined whether an alarm 2 fulfils a condition 5for not being relevant in the concrete physical state 1 c of the plant 1to which it pertains. If this is the case (truth value 1), this alarm 2is moved to the pool 3 b of informative alarms 2 in step 150.

In step 160, the operational state 1 a of the plant 1, and/or acorrective action 1 b for improving this operational state 1 a, isdetermined based on the alarms 2 that are still in the pool 3 a ofimportant alarms 2 (i.e., alarms 2 that have not been moved to the pool3 b of informative alarms 2). The pool 3 a of important alarms and thepool 3 b of informative alarms remain available for further evaluation.

In step 170, representations of the alarms 2′ in the pool 3 a ofimportant alarms 2 may be rendered on a display device. In step 175,hyperlinks from these alarms 2′ to other alarms 2 that were moved to thepool 3 b of informative alarms by virtue of these important alarms 2′may be provided.

In step 180, a representation of a physical state 1 c that has caused analarm 2 to be moved to the pool 3 b of informative alarms 2 may berendered on the display device. In step 185, a hyperlink to that alarm 2may be provided.

In step 190, a control signal may be provided to at least one actuatorof the plant, so as to move the plant 1 to a more favorable physicalstate 1 c.

Inside box 120, embodiments are detailed as to how cause-effectrelationships between alarms 2 and 2′ may be established.

According to block 121, such relationships may be established based on aset of rules 4.

According to block 128, relationships are specifically establishedbetween process alarms 2 b and service alarms 2 a that are raised withina same physical process module 10, 10′ that defines a set of availableservices.

According to block 129, the behavior of the plant 1 is simulated inorder to establish cause-effect relationships.

Inside box 121, exemplary embodiments are detailed as to how rules 4 maybe obtained.

According to block 122, resources utilized by a service or operation maybe determined, and according to block 123, a rule may be created that inresponse to at least one process alarm 2 b that this resource may raise,a service alarm 2 a is to be raised.

According to block 124, it may be determined that a service or operationrequires some particular state 1 c of the plant 1 or a part thereof.According to block 125, it may be determined that the raising of aprocess alarm 2 b will cause the plant 1 or part thereof to switch to astate 1 c different from the required state 1 c. In particular, thismay, according to block 125 a, be the outcome of a safety or interlockfunction in the topology of the plant 1. According to block 126, a rule4 may be created that in response to the process alarm 2 b being raised,a service alarm 2 a is to be raised.

According to block 127, at least one rule 4 may be generated based atleast in part on metadata of a process module interface. In particular,according to block 127 a, the process module interface may specificallycomprise at least one such rule 4.

FIG. 2 shows an exemplary dosing module 10. The dosing module 10 isconfigured to take in a substance via its input port 11 and deliverdefined quantities of it via its output port 12 a. A buffer vessel 16 isprovided to temporarily store the substance, so as to uncouple the speedand pressure with which the substance may be dosed to output port 12 afrom the speed and pressure with which the substance is available atinput port 11. The dosed substance is pumped to the output port 12 a bypump 17.

Thus, the dosing module 10 provides two services, i.e., possibleactions: “Fill” and “Dose”. To this end, the dosing module 10 has afirst valve 13 a in the line from the input port 11 to the buffer vessel16 and a second valve 13 b in the line from the buffer vessel 16 to theoutput port 12 a. For safety, there is also a relief valve 13 c in theline from the buffer vessel 16 to the relief port 12 b.

The three basic parameters that need to be monitored in the dosingmodule 10 are the pressure p₁ in the line from the input port 11 to thebuffer vessel 16, the pressure p₂ in the buffer vessel 16, and the massflow f in the line from the buffer vessel 16 to the output port 12 a.

The pressure p₁ is monitored by pressure sensor 14 a. If the pressure p₁climbs too high, then the valve 13 a will be automatically closed, and aprocess alarm 2 b will be raised. In this state, a further intake ofsubstance will not be possible, so a service alarm 2 a for the service“Fill” will be raised, and this causes the process alarm 2 b to be movedto the pool 3 b of informative alarms 2. If filling is in progress, itwill be put on hold.

The pressure p₂ is monitored by pressure sensor 14 b. If the pressure p₂climbs too high, the valve 13 c will be automatically opened, and aprocess alarm 2 b will be raised. In this state, a further intake ofsubstance will not be possible either, so again, a service alarm 2 a forthe service “Fill” will be raised, and if filling is in progress, itwill be put on hold. The service alarm 2 a will cause the process alarm2 b to be moved to the pool 3 b of informative alarms 2.

The mass flow f is monitored by flow sensor 15. If the mass flow f dropstoo low, a process alarm 2 b will be raised. In this state, a reliabledosing of substance is not possible, so a service alarm 2 a for theservice “Dose” will be raised, and pump 17 will be automaticallystopped. If dosing is in progress, depending on the magnitude of theshortfall in mass flow f, it will be temporarily stopped, or it will beaborted altogether. The service alarm 2 a will cause the process alarm 2b to be moved to the pool 3 b of informative alarms 2.

Thus, the process alarms 2 b raised by pressure sensors 14 a and 14 bmay affect the service “Fill”, and the process alarm 2 a raised by massflow sensor 15 may affect the service “Dose”. Any process alarms 2 bthat do not affect a service for which there is a service alarm 2 a (forexample, over-pressure p₂ while there is a service alarm 2 a for dosing)will remain in the pool 3 a of important alarms 2.

The relationships between the different process alarms 2 b on the onehand, and service alarms 2 a, automatic actions on equipment andconsequences for currently running services on the other hand, are allcontained in the metadata in the process module interface according tothe Module Type Package, MTP. This MTP also contains requirements forthe operation of each service. For the service “Fill”, the valve 13 a inthe filling line to the buffer vessel 16 must be open, but the reliefvalve 13 c from this buffer vessel 16 to the relief port 12 b must beclosed. For the service “Dose”, the valve 13 b in the line to the pump17 must be open, and the pump 17 must be running.

If the running of a service is intended, but one of the conditions forthis service is not fulfilled for whatever reason (such as a valve beingopened or closed due to a process alarm 2 a, or a power failure at thepump 17), then a service alarm 2 a for the respective service is raised.Note that in this example, the requirements for the services “Fill” and“Dose” do not contradict each other, so both services may run at thesame time. If the running of a service is not intended, violation of therespective conditions will not cause a service alarm 2 a.

FIG. 3 shows a very simple plant 1 composed of two dosing modules 10,10′. The output port 12 a of the first dosing module 10 is connected tothe input port 11′ of the second dosing module 10′. Like the firstdosing module 10, the second dosing module 10′ also has its output port12 a′ and relief port 12 b′.

As discussed before, alarms can propagate in this plant, for example,from the second dosing module 10′ to the first dosing module 10. If thepressure pi in the second dosing module 10′ climbs too high, then thevalve 13 a in the input port 11′ will be closed. The source of thisexcess pressure is the active “Dose” service in the first dosing module10. The high pressure p1 in the second dosing module 10′ will affect themass flow fin the first dosing module 10 because its pump 17 is pumpingagainst the closed valve 13 a in the input port 11′ of the second dosingmodule 10′. This in turn will cause a service alarm 2 a for the service“Dose” in the first dosing module 10.

From the examples presented above, it is evident that a single event,like a closed valve on the input port of one faulty module, may triggermultiple alarms, like the over-pressure, over-temperature and under-flowon the output port of the upstream module. On top of those alarms, thefaulty module itself is likely to raise more process alarms, and if thefault cannot be compensated somehow, a service alarm may be raised. Ifall these alarms are presented to an operator, the operator may beoverwhelmed by the information overflow and not know where to startfixing the problem. Likewise, if the operational state of the plant isevaluated by machine, it is difficult to extract the salient informationfrom the noise.

The method that addresses this problem starts with acquiring a pluralityof alarms raised within the plant. Initially, all these alarms are addedto a pool of important alarms. Later, the operational state of theplant, and/or a corrective action for improving this operational state,will be determined based on the alarms in the pool of important alarms.But first, the alarms are filtered according to one or both of twocriteria presented in the following, and this filtering results in somealarms being moved from the pool of important alarms to a pool ofinformative alarms. Here, “informative” may specifically mean that thealarms are not presented for immediate attention, but kept on file fortracking down problems in the plant that have given rise to the alarms.

It may be determined, for at least one first acquired alarm, whether aphysical state of the plant or any part thereof indicated by this alarmhas caused the raising of a second alarm that has also been acquired.This determining is based at least in part on the topology of the plant,and/or on the given industrial process, and/or on a physical state ofthe plant or any part thereof. If said state indicated by the firstalarm has caused the second alarm to be raised, then the first alarm ismoved from the pool of important alarms to the pool of informativealarms.

The reasoning behind this is that in the context of industrial plants,if a state indicated by a first alarm causes a second alarm to beraised, the likelihood is high that this second alarm represents anescalation of the problem that needs fixing more urgently than theinitial problem indicated by the first alarm. A proverb frompre-industrial times says: “For want of a nail, the shoe was lost; forwant of a shoe, the horse was lost; for want of a horse, the rider waslost; for want of a rider, the battle was lost; for want of a battle,the kingdom was lost; and all for the want of a nail.” This is all themore true in an industrial setting where the recipe of the processexplicitly dictates dependencies between successive processing steps,and also between different pieces of equipment.

In the example presented above, the root cause of the closed valve inthe input port of the faulty module may have been an over-pressure in areaction vessel of this faulty module. By virtue of a safety interlockcircuit, in response to the over-pressure that has caused a firstprocess alarm to be raised, the valve on the input port of the faultymodule was closed. This in turn caused the further process alarms on theoutput port of the upstream working module to be raised. On top of that,more process alarms may be raised in the faulty module, such as a lowmass flow at the input port, an over-temperature in the reaction vesselbecause this vessel is no longer being cooled sufficiently by this massflow, and a low mass flow at the output port. The ultimate consequenceof the initial fault may be that further downstream, too little of theproduct to be produced by the faulty module is available, and a servicethat needs this product comes to a halt for this reason, raising aservice alarm.

In this case, what really needs attention is the service alarm becausethis has the potential to bring the complete process to a halt. To avoidthis consequence, the effort for remedy should be focused in exactlythis place, as in: “Get more of this substance into this service now, nomatter what, and worry about everything else later.” The best short-termsolution may be totally unrelated to the root cause of the problem. Forexample, the input port of the module whose service has stopped workingmay be connected to a different process module that supplies the neededsubstance, or even to an emergency reservoir of this needed substance,so that the process may continue while the root cause is being trackeddown. If the operator had instead been presented the plethora of processalarms, then this might have given rise to a considerably lessappropriate reaction, namely starting to work in detail on the faultymodule while the plant produces nothing. This may be done later, and thealarms from the pool of informative alarms may then be used to trackdown the root cause.

The example shows that in particular, each of the acquired alarms may belabeled with a priority, and a first alarm may be moved into the pool ofinformative alarms if the state indicated by this first alarm has causeda second alarm with a higher priority than the first alarm to be raised.But even if only alarms of the same priority (such as only processalarms) are considered, there is still the tendency that the problemindicated by the second alarm is amplified compared with the problemindicated by the first alarm.

In this example, the best short-term remedy, namely getting the neededsubstance into the service that is down, would also have been obtainedby the very simple method of just moving all process alarms to the poolof informative alarms, keeping only the service alarms in the categoryof important alarms. But this would eliminate the opportunity to spotany other problems at an early stage before they become big problems. Asdiscussed above, the whole point of having process alarms is to be ableto remedy problems before they escalate into the interruption of aservice, or even of the industrial process as a whole. By limiting theclassifying of alarms as “informative” to alarms that are in a causalchain with an important alarm, salient information in other processalarms is kept, so the signal-to-noise ratio is improved withoutincreasing the propensity of bigger problems developing.

Alternatively or in combination with said classifying based on a causalchain, it may be determined, for at least one acquired alarm, based atleast in part on the topology of the plant, and/or on the givenindustrial process, in combination with a physical state of the plant orany part thereof, whether a predetermined state-dependent condition ismet. If this condition is met, then the alarm is moved from the pool ofimportant alarms to the pool of informative alarms. The reasoning behindthis is that many conditions which cause a process alarm to be raisedare only relevant for the functioning of the industrial process as awhole during certain situations.

In a toy example, for a roll-on, roll-off car ferry, it is certainlyadvantageous to emit an audible warning on the bridge if the ferry isabout to leave port with the big loading door still open. An open dooris not a problem while the ferry is moored in port being loaded.Nonetheless, the sensors that register whether the door is open shouldbe working all the time, so that it can be immediately recognized ifthere is a problem. But the audible alarm should not ring all the timewhile the ship is moored in port.

By filtering out process alarms that are not relevant due to thesituation, unnecessary clutter of alarms is avoided, while themonitoring of the variables within the plant may still be kept active.

For example, while a service alarm for a particular service may normallyhave a higher priority than process alarms, the service alarm is onlyrelevant for the process as a whole if it occurs at a time where thisservice is actually needed. There may be many services that are neededonly intermittently, so during times where a service is not needed, itdoes not matter if the state of the plant does not permit the startingof the service.

This is particularly important in a situation where one process moduleis used in the plant as a shared resource to make products that will beused as educts in different downstream services. For example, one andthe same tempering module may be used at one time to heat substance Afor use in a first downstream module, and it may be used at another timeto cool substance B for use in a second downstream module. At any onetime, either the first or the second downstream module may be active,but they can never be active at the same time. Therefore, at any time,there will be a service alarm for one of the two downstream modules,even though the plant is exactly working as intended. Every alarm behindwhich there is no real problem in the plant is a bad thing because ithas a tendency to de-sensitize operators with respect to alarms. Thenext time an alarm occurs, they may think “well, it's just the one thatis always on, no problem”, but if they think wrong, they do not react toit when they in fact should.

Both methods of filtering, namely filtering according to causal chainsand filtering according to state-dependent conditions, may be used insequence. The order of the sequence has an influence on the final resultand may be chosen according to the concrete needs of the industrialplant under consideration.

For example, in the case of a causal chain of process alarms escalatingup to a service alarm, evaluating the causal chain first will cause allthe process alarms to be classified as informative alarms, so that onlythe service alarm will remain as an important alarm. If it is thendetermined that the service alarm is not important because the serviceis not currently being used, then all the alarms will be in the pool ofinformative alarms, and none will remain in the pool of importantalarms. If, however, the service alarm is classified as informative onlybecause the service is not currently being used, and then the causalchain of the process alarms is evaluated, then the last process alarmthat was raised before the escalation to a service alarm will remain inthe pool of important alarms. All other alarms will be in the pool ofinformative alarms.

In a particularly advantageous embodiment, the determining whether aprocess alarm has caused a service alarm is based at least in part on aset of rules. Each rule specifies that in response to one or moreprocess alarms, a service alarm is to be raised.

For example, a combined stirring and mixing module that takes in twosubstances and mixes them by stirring may raise a service alarm for theservice “stirring and mixing” if the mass flow of either substance isbelow a threshold value, if the pressure in the mixing vessel climbs toohigh, or if the motor current for the stirrer is above a thresholdvalue. For each variable, there may be different process alarmsassociated with different thresholds. For example, at a first threshold,a “high” process alarm for the pressure may be raised, and at a second,higher threshold, a “high-high” process alarm for the same pressure maybe raised. The rule may then stipulate that only a “high-high” pressurewill raise a service alarm, so that the service alarm may remain in thepool of important alarms, while the high-high pressure process alarm maybe moved to the pool of informative alarms. If the pressure is only highenough to raise a high pressure process alarm, no service alarm may beraised, and the high pressure process alarm may remain in the pool ofimportant alarms.

Rules may also combine several conditions. For example, the overcurrentin the stirrer motor may only cause a service alarm if it persists for alonger time than the motor is designed to tolerate this overcurrent.

The rules in the set of rules may come from any source. In particular,they may be engineered. But preferably, as many rules as possible aregenerated automatically.

One way to achieve this is to determine, for at least one service oroperation of the plant, that this service or operation utilizes at leastone resource of the plant. In a modular plant, this resource may residewithin the same module, but the resource may also, for example, beanother module from which the module that executes the service oroperation gets an input. For at least one process alarm that the usedresource is able to raise, a rule may then be created that in responseto this process alarm being raised, a service alarm is to be raised.

This may be refined in that the process alarm that may cause the raisingof a service alarm must specifically relate to a state variable on whichthe functioning of the service depends. For example, if a servicedownstream of said stirring and mixing module requires a certain massflow of stirred and mixed product, a process alarm of the stirring andmixing module that indicates a low output mass flow of the product maycause a service alarm of the downstream service to be raised. But theovercurrent in the stirrer motor does not have an immediate effect onthe quality or quantity of stirred and mixed product, so this processalarm may not cause a service alarm for the downstream service to beraised.

Another way to generate rules starts with determining that a service oroperation requires a particular state of the plant or any part thereof.Based at least in part on the topology of the plant, and/or on the givenindustrial process, it is then determined that the raising of aparticular process alarm will cause the plant or part thereof to switchto a state that is different from said required state. A rule is thencreated that in response to said process alarm being raised, a servicealarm is to be raised.

For example, the service or operation may require that certain valves beopen so that educts may be taken in and certain valves be closed so thatthe educts cannot escape before the service or operation is finished.But the raising of certain process alarms may immediately alter theconfiguration of the valves regardless of which configuration ispresently needed by the process. For example, if an overpressure in avessel is detected, a safety circuit may open a valve to relieve thepressure even though this valve was previously closed intentionally forthe performing of the service or operation. Also, the process alarm thatan enclosure of a module was manually opened may prompt an interlockcircuit to switch off certain hazardous components of the module, suchas a high-voltage power supply or a laser.

Therefore, it may be specifically determined based at least in part on asafety or interlock function in the topology of the plant that theraising of a particular process alarm will cause the plant or partthereof to switch to a state that is different from said required state.

In a case where the service specifically is a service provided by aprocess module of a modular industrial plant, the process alarms thatmay trigger a service alarms of this service may specifically be processalarms that are raised upon a predetermined condition being met withinthe same process module. Specifically, the process module may bedesigned to check all conditions for the functioning of the service bysensors of its own, without having to rely on a communication of processalarms from other modules. If the process module is self-contained inthis manner, the need for the monitoring of the required variables willnot place any further conditions on combinations of this module withother modules. Physical process modules from a given stock on site maythen be combined more flexibly.

In particular, at least one rule in the set of rules may be generatedbased at least in part on metadata of a process module interface. Forexample, this metadata may be obtained from a Module Type Package, MTP,description of the module that is currently being standardized as VDIstandard 2658. This ensures that even if modules from differentmanufacturers are being combined in the plant, the computerizedgeneration of rules will be able to evaluate the descriptions and drawthe right conclusions as to which process alarms may cause the raisingof which service alarms.

Specifically, at least one rule may already be built into the metadataof the process module interface (e.g., the MTP). In particular, if amodule is self-contained in the sense that it checks all conditions forthe functioning of its service on its own as described above, the rulesmay already be formulated at the time of engineering the module. Themodule may then be sold complete with the added value of the alarmmanagement, so that no additional work needs to be performed on-site toimplement this alarm management.

In a further particularly advantageous embodiment, the determiningwhether a physical state of the plant or any part thereof indicated by afirst acquired alarm has caused a second acquired alarm specificallycomprises simulating the behavior of the plant in response to saidphysical state. In this manner, the filtering of alarms described abovemay be extended to parts of the plant, such as modules, for which nomachine-readable metadata are available. For example, a modular plantmay also comprise older modules for which no MTP is available. Also, thetopology of the plant may contain interdependencies between moduleswhose behavior cannot be sufficiently described by pooling theinformation from the respective MTPs.

For example, a safety or interlock function in the topology of the plantthat is external to the modules is not described in any of the MTPs. Forexample, the factory floor on which a modular plant is assembled fromphysical process modules may be equipped with a water leakage detectorthat will shut off the supply of water in case of a leakage.

Therefore, the simulating may specifically include state changestriggered by a safety or interlock function in the topology of the plantin response to the state indicated by the first acquired alarm.

In a further particularly advantageous embodiment, representations ofthe alarms in the pool of important alarms are rendered on at least onedisplay device. As discussed before, the alarms appearing on the displaydevice are then a clearer and more concise indication for an operator ofthe plant as to which short-term corrective action shall be taken tokeep the plant as a whole functioning, or to return it to a functionalstate as quickly as possible.

Preferably, in association with a representation of at least one alarmin the pool of important alarms, at least one hyperlink to another alarmthat has been moved to the pool of informative alarms by virtue ofhaving caused the important alarm is provided. In this manner, theoperator is assisted in tracking down the root cause of the problem thathas given rise to the important alarm.

Alternatively or in combination, on the at least one display device, atleast one representation of a physical state that has caused the movingof at least one alarm from the pool of important alarms to the pool ofinformative alarms may be rendered. In this manner, the operator gets anindication why an alarm that he may expect is not being raised.

In the example of the tempering module being used either for heating orfor cooling, the representation of the physical state may indicate forwhich purpose the tempering module is presently being used. The operatorthen knows that while the module is being used for heating, no alarmsrelating to cooling will be displayed, and vice versa.

Optionally, a hyperlink to at least one alarm that has been moved to thepool of informative alarms by virtue of a particular physical state maybe provided in association with the representation of the physicalstate. This aids the operator in preparing the plant for a switch to adifferent physical state in which these alarms become relevant.

For example, if a process is being carried out in a vacuum and thechamber is open for maintenance, then a lot of alarms will not needimmediate attention because the process is currently not running anyway.Instead of the alarms, the display may then indicate that the pressurein the chamber is 1*10⁺³ mbar. But before pump down, the operator mayclick on this indication in order to check whether anything needs fixingwhile the chamber is still open. For example, if one of the processalarms indicates that the filament of an evaporator does not permit thepassage of any electrical current, the operator may be reminded of this,saving a disappointment after pump down.

In a further particularly advantageous embodiment, in response to atleast one alarm in the pool of important alarms, a control signal isprovided to at least one actuator of the plant. The purpose of thiscontrol signal is to move the plant towards a physical state in which

-   -   a problem that has given rise to the alarm is mitigated, and/or    -   a propensity for damage to the plant in case this problem        persists is reduced.

For example, if some substance is missing for operation of a service,then the control signal may serve to switch over to a different sourcefor this substance, such as another module producing this substance oran emergency reservoir for this substance.

A propensity for damage may, for example, be reduced by turning offcomponents that might be damaged if the problem persists or gets worse,or by shutting off one or more valves to contain the problem within apart of the plant.

As detailed above, many of the advantages of the methods are broughtabout by the computerization of the method. Therefore, the inventionalso provides a computer program with machine-readable instructionsthat, when executed by one or more computers, and/or an industrialcontrol system, cause the cone or more computers, and/or the industrialcontrol system, to perform the method described above. The inventionalso provides a non-transitory computer storage medium, and/or adownload product, with this computer program.

LIST OF REFERENCE SIGNS

1 industrial plant

1 a operational state of plant 1

1 b corrective action for improving operational state 1 a

1 c physical state of plant 1 or part thereof

2, 2′ alarms

2 a service alarm

2 b process alarm

3 a pool of important alarms 2

3 b pool of informative alarms 2

4 rules for cause-effect relationships between alarms 2, 2′

5 state-dependent condition for lesser relevancy of alarm 2

10, 10′ dosing modules

11, 11′ input port of dosing module 10, 10′

12 a, 12 a′ output port of dosing module 10, 10′

12 b, 12 b′ relief port of dosing module 10, 10′

13 a valve in input port 11, 11′

13 b valve leading to pump 17

13 c valve in relief port 12 b, 12 b′

14 a sensor for pressure p₁

14 b sensor for pressure p₂

15 sensor for mass flow f

16 buffer vessel

17 pump in output port 12 a, 12 a′

100 method

110 acquiring alarms 2

120 determining cause-effect relationships between alarms 2, 2′

121 determining relationship based on rules 4

122 determining utilization of resource

123 connecting process alarms 2 b of resource with service alarm 2 a

124 determining required state 1 c for service

125 determining that process alarm 2 a changes state 1 c

125 a determining 125 based on safety or interlock function

126 connecting process alarm 2 b with service alarm 2 a

127 generating rules 4 based on process module interface metadata

127 a obtaining rules 4 directly from process module interface metadata

128 connecting process alarms 2 b, service alarms 2 b within module 10,10′

129 simulating behavior of plant 1

130 moving “cause” alarms 2 to pool 3 b

140 determining whether alarm 2 is less relevant due to condition 5

150 moving alarm 2 to pool 3 b

160 evaluating operational state 1 a, corrective action 1 b

170 rendering representations of important alarms 2′ in pool 3 a

175 providing hyperlinks to alarms 2 in pool 3 b

180 rendering representation of state 1 c on which condition 5 depends

185 providing hyperlinks to alarms 2 sent to pool 3 b for condition 5

190 providing control signal to improve physical state 1 c of plant 1

All references, including publications, patent applications, andpatents, cited herein are hereby incorporated by reference to the sameextent as if each reference were individually and specifically indicatedto be incorporated by reference and were set forth in its entiretyherein.

The use of the terms “a” and “an” and “the” and “at least one” andsimilar referents in the context of describing the invention (especiallyin the context of the following claims) are to be construed to coverboth the singular and the plural, unless otherwise indicated herein orclearly contradicted by context. The use of the term “at least one”followed by a list of one or more items (for example, “at least one of Aand B”) is to be construed to mean one item selected from the listeditems (A or B) or any combination of two or more of the listed items (Aand B), unless otherwise indicated herein or clearly contradicted bycontext. The terms “comprising,” “having,” “including,” and “containing”are to be construed as open-ended terms (i.e., meaning “including, butnot limited to,”) unless otherwise noted. Recitation of ranges of valuesherein are merely intended to serve as a shorthand method of referringindividually to each separate value falling within the range, unlessotherwise indicated herein, and each separate value is incorporated intothe specification as if it were individually recited herein. All methodsdescribed herein can be performed in any suitable order unless otherwiseindicated herein or otherwise clearly contradicted by context. The useof any and all examples, or exemplary language (e.g., “such as”)provided herein, is intended merely to better illuminate the inventionand does not pose a limitation on the scope of the invention unlessotherwise claimed. No language in the specification should be construedas indicating any non-claimed element as essential to the practice ofthe invention.

Preferred embodiments of this invention are described herein, includingthe best mode known to the inventors for carrying out the invention.Variations of those preferred embodiments may become apparent to thoseof ordinary skill in the art upon reading the foregoing description. Theinventors expect skilled artisans to employ such variations asappropriate, and the inventors intend for the invention to be practicedotherwise than as specifically described herein. Accordingly, thisinvention includes all modifications and equivalents of the subjectmatter recited in the claims appended hereto as permitted by applicablelaw. Moreover, any combination of the above-described elements in allpossible variations thereof is encompassed by the invention unlessotherwise indicated herein or otherwise clearly contradicted by context.

What is claimed is:
 1. A computer-implemented method for determining anoperational state of an industrial plant, wherein the industrial plantis configured to execute a given industrial process, the methodcomprising: acquiring a plurality of alarms raised within the plant,adding the plurality of alarms to a pool of important alarms;determining, based at least in part on a topology of the plant, and/oron the given industrial process, and/or on a physical state of the plantor any part thereof, for at least one first acquired alarm from theplurality of alarms, whether a physical state of the plant or any partthereof indicated by the at least one first acquired alarm has caused asecond alarm that has also been acquired, wherein the second alarmrepresents an escalation of an initial problem indicated by the at leastone first acquired alarm that needs fixing more urgently than theinitial problem, and when the second alarm is present, moving the atleast one first acquired alarm from the pool of important alarms to apool of informative alarms; and determining the operational state of theplant, and/or a corrective action for improving this operational state,based on the alarms in the pool of important alarms.
 2. The method ofclaim 1, further comprising: determining, based at least in part on thetopology of the plant, and/or on the given industrial process, incombination with a physical state of the plant or any part thereof, forthe at least one first acquired alarm, whether a predeterminedstate-dependent condition is met, and at times when the pre-determinedstate-dependent condition is met, moving the at least one first acquiredalarm from the pool of important alarms to the pool of informativealarms.
 3. The method of claim 1, wherein each alarm in the plurality ofalarms is labeled with a priority and wherein the second acquired alarmcaused by a state indicated by the at least one first acquired alarm hasa higher priority than the at least one first acquired alarm.
 4. Themethod of claim 1, wherein the plurality of alarms comprises at least:alarms from a first category of service alarms that are raised inresponse to a service or an operation in the industrial plant beinginterrupted or being unable to start; and alarms from a second categoryof process alarms that are raised upon a predetermined condition beingmet for one or more physically acquired variables of the plant or anypart thereof, wherein the first category of service alarms has a higherpriority than the second category of process alarms.
 5. The method ofclaim 4, wherein the service or operation specifically comprises one ormore of: heating or cooling a substance, and/or keeping the temperatureof the substance at a desired value; stirring a substance; filling atleast one vessel with a desired amount of a substance; discharging adesired amount of a substance from at least one vessel; dosing a desiredamount of a second substance into a first substance; intermixing amixture of two or more substances by mechanical interaction with thismixture; distilling at least one substance from a mixture of two or moresubstances; transitioning at least one substance; and inertizing atleast one substance.
 6. The method of claim 4, wherein at least oneprocess alarm is specifically raised in response to a temperature, apressure, and/or a mass flow deviating from a nominal value or goingbeyond an upper or lower threshold value.
 7. The method of claim 4,wherein the determining whether a process alarm has caused a servicealarm is based at least in part on a set of rules, wherein each rulespecifies that in response to one or more process alarms, a servicealarm is to be raised.
 8. The method of claim 7, wherein at least onerule in the set of rules is generated by: determining that a service oroperation utilizes at least one resource of the plant; and for at leastone process alarm that this resource is able to raise, creating a rulethat in response to this process alarm being raised, a service alarm isto be raised.
 9. The method of claim 8, wherein the process alarm thatthe resource is able to raise specifically relates to a state variableon which the functioning of the service depends.
 10. The method of claim7, wherein at least one rule in the set of rules is generated by:determining that a service or operation requires a particular state ofthe plant or any part thereof; determining, based at least in part onthe topology of the plant, and/or on the given industrial process, thatthe raising of a particular process alarm will cause the plant or anypart thereof to switch to a state that is different from said requiredstate; and creating a rule that in response to said process alarm beingraised, a service alarm is to be raised.
 11. The method of claim 10,wherein it is specifically determined based at least in part on a safetyor interlock function in the topology of the plant that the raising of aparticular process alarm will cause the plant or any part thereof toswitch to a state that is different from said required state.
 12. Themethod of claim 4, wherein at least one service in the industrial plantspecifically is a service provided by a process module of the industrialplant, and process alarms that will trigger a service alarm of thisservice specifically are process alarms that are raised upon apredetermined condition being met within the same process module. 13.The method of claim 12, wherein at least one process alarm isspecifically raised in response to a temperature, a pressure, and/or amass flow deviating from a nominal value or going beyond an upper orlower threshold value, and wherein at least one rule in the set of rulesis generated based at least in part on metadata of a process moduleinterface.
 14. The method of claim 13, wherein the metadata of theprocess module interface specifically comprises at least one rule in theset of rules.
 15. The method of claim 1, wherein determining whether aphysical state of the plant or any part thereof indicated by the atleast one first acquired alarm has caused the second acquired alarmspecifically comprises simulating a behavior of the plant in response tothe physical state.
 16. The method of claim 15, wherein the simulatingspecifically includes state changes triggered by a safety or interlockfunction in a topology of the plant in response to the state indicatedby the at least one first acquired alarm.
 17. The method of claim 1,further comprising: rendering representations of the alarms in the poolof important alarms on at least one display device.
 18. The method ofclaim 17, further comprising: providing, in association with arepresentation of at least one alarm in the pool of important alarms, atleast one hyperlink to another alarm that has been moved to the pool ofinformative alarms by virtue of having caused the important alarm. 19.The method of claim 1, further comprising: rendering, on at least onedisplay device, at least one representation of a physical state that hascaused the moving of at least one alarm from the pool of importantalarms to the pool of informative alarms.
 20. The method of claim 19,further comprising: providing, in association with the representation ofthe physical state, a hyperlink to at least one alarm that has beenmoved to the pool of informative alarms by virtue of this state.
 21. Themethod of claim 1, further comprising: in response to at least one alarmin the pool of important alarms, providing a control signal to at leastone actuator of the plant, so as to move the plant towards a physicalstate in which a problem that has given rise to the alarm is mitigated,and/or a propensity for damage to the plant is reduced when the problempersists.